I spoke directly with the awesome guys behind the Wall of Sheep hacker group, whose motto is, “Security Awareness For the Flock.” Their mission is that of the hacker. The good kind, that is. It’s about showing the world what hacking does “outside the box” to liberate technology so it can perform outside the confines of its original purpose. We talked about the groundbreaking results of their NFC Security Awareness Project. Wall of Sheep showed me a demo of the NFC hack they have developed that exposes a major security risk for users of this smart technology. According to the Wall of Sheep security experts I spoke with at Def Con 2013, the “potential risk comes from someone with malicious intent creating or replacing an existing NFC tag with infected content. Malicious intent can vary from collecting unauthorized information about the device to changing the device settings to delivering malicious software to the device for remote access.”
Michael Venables: How would you define “hacking” and what is its main objective?
Wall of Sheep: Hacking is taking anything that’s available to any individual who is looking to take that item, whether it’s technology, food, or whatever, and using it for a purpose for which it wasn’t intended. A lot of times, it’s making it better, it’s becoming some new form of innovation or it could be solving a problem that the item inherently had.
So, a really good example of hacking that’s happened since the 1900s is in the automotive industry. People would take a stock car, they’d open it up, and they’d modify the motor and make it go faster and faster in racing. It’s not intended to do that, but they modified it to make it do something that wasn’t necessarily done. And that’s a form of innovation that generates new and better, faster technology. Thomas Edison, Benjamin Franklin — they’re all hackers.
Venables: Many people conflate the world of hacking into a technology movement based on malicious goals. How do you distinguish between the modification of existing systems and the guys who want to hack government agencies?
WOS: We’re about security awareness and finding ways of understanding the risks that are inherent inside of products inside the market and helping the average, everyday citizen understand how to protect themselves from that. We’re on the good side. There are certainly people with malicious intent to do bad things with technology and the information that they get.
And you can take any stock piece of equipment and turn it into something it wasn’t meant to do. Our purpose is to take something that may have an inherent flaw in it, discover what the flaw is and help educate the manufacturer about this flaw, so they can improve the product and make it better. To prevent the people who are doing malicious things from being able to continue to do that.
Venables: Tell me about Wall of Sheep and what it’s about.
WOS: Wall of Sheep was created over a decade ago, and it was a group of like-minded individuals looking at the different traffic going by.
Let me start by giving an analogy that we like to give. If you have two children sitting next to each other in a classroom. And they’re having a conversation. And the kid right behind the first kid, sitting there, breathing on his neck, listens and hears the conversation. There’s nothing illegal about that. It’s a public conversation. They’re talking out loud, and they overheard it. We do something very similar at Def Con and other conferences. We listen to the network traffic. We’re just actively listening. We’re not hacking anything. We’re passively monitoring the traffic flows on the network. As we hear those conversations, we take that into something we can visually understand, we see a lot of people connecting to their services, such as email, FTP servers or any sort of technology, in an insecure way. And so what we do is we put them up on this wall to let them know that they just leaked their data out to the world at a hacking conference. So we offer a service. They come up to our area and they say, “Hey, I’m on the wall. Can you help me understand what I did wrong, what flaw, and harden this so it doesn’t happen again?” And we spend time with them, educating them, looking at the applications they’re using and we tell them about other applications besides using insecure mail and insecure FTP. There’s secure mail and secure FTP. And there is, of course, VPN. We guide them and help them to secure themselves.
One of our things is that, if this is happening to the best of the best around the world at Def Con, what’s happening to the standard citizen who doesn’t understand technology? They’re just leaking their information out and they don’t know any better. So we’re hoping to raise security awareness so they know how to protect themselves.
Think about this: Def Con is known as the world’s most hostile network. It’s known. It’s a known thing all around the world. Everybody who comes to Def Con understands that Def Con has a huge number of hackers and that it’s a very dangerous place. Now why would you bring your laptop and check your email on the world’s most hostile network? It just doesn’t make sense. Well, if you don’t understand it. So what we’d like to do is to have people connect, use their email and use their services here or anywhere for that matter. You should be able to do business anywhere, if you put your proper security mechanisms in place.
And the thing that we also say, quite often, is that, at this hacking conference there are people who are identified, self-labelled or known to be hackers. And you’re worried about them, and you’re known to be a bit more on your guard because you’re here. But when you go home, what about the ones who are just out there doing bad things? You don’t know that they’re there. You should use the same protection there as you use here. You can’t just shut yourself off and turn off your machine. You need to continue doing things, just in a secure way.
The whole point of our project is really just security awareness. To help people get better educated on using secure protocols such as VPN. That’s really where our next project takes us. It’s a new security project that we did. We worked together, partnering on this. We have these tags that are buttons. The buttons have NFC tags inside of them. We also put NFC posters all around the area. The NFC tag has a URL inside of it. All the ones that we put around here have something harmless in it. It says “Download music” or “Warning – this can be dangerous.” We have a lot of different things. We did some rickrolling just for fun. We had a good time with it.
What we have here in front of us is a demonstration of what actually can happen. About 70% of the phones on the market are old. People like to keep their smartphones. They can’t upgrade them. It costs a lot of money, so it makes sense. You wait out your contract and then you upgrade. So these phones that are older are susceptible to this tag that we’re going to show you. And what happens is we can actually have your phone touch an NFC tag, download a piece of malware without you knowing, without it prompting you and then we can take control of your phone’s SMS and get a clone of your SMS messages on ours.
Riverside had a tag that was benign. It can be a tag to download music, to get an e-book, to look at a music schedule. And there are thousands of these large posters in airports that say, “Touch me to get some free music.” And they have these huge marketing campaigns to get people to use NFC to get discounts at local stores. It’s an emerging marketing thing right now. If you contact any marketing firm, the biggest and the hottest thing that they’re trying to get their clients to do is to start using NFC — interactive marketing, or active media.
So when I click okay, it’s going to download it. Basically, it’s saying, “Would you like to install this virus?” And you say, “OK.” So I just touch it to install it. And this is what’s really important. It warns the user what services and resources on the device it’s going to access. [Really long list of services shown] Now if it’s just a flashlight application, it shouldn’t have this much access. It should just be able to access at most one or two things. It definitely should never be able to access networking, GPS, your address book or anything like that. And we’ve seen malware that does that in the field, in the wild. This is warning us of what it can access. So, we say, “Install” and it’s done.
As you see when opening this application, it looks like Android Security Suite. I’m trying to be proactive and protect myself. I got security awareness from the Wall of Sheep. I’m installing AV (antivirus) on my phone, but this actually happens to be malware. Unfortunately for the victim, it’s a fake security suite. A common thing used on PCs that millions of people fall for all the time. It gives you an activation code which is unique, so in case my friend grabs a copy they don’t become suspicious. If it kept showing the same code, people wouldn’t install it, so a little trickery is involved. Now I can just say, let me go home — my life is good. But, I’m pretending to be a bad guy. That [malware] got installed on the phone. (CedoxX sends a text message to the test phone). At first, nothing’s going to happen. But, when it receives the first message from anyone in the world, it’s going to go to a website that the bad guy controls. When it connects to the website, as the bad guy, I’m monitoring that website. And I see that this smartphone number is infected. (Test phone receives new text message at this point). New message arrives. (CedoxX retrieves a new message on the test phone). Now that it has connected, the bad guy can control the phone.
Rick Roll’d!!!
As you can see, the bad guy would now know the phone number. I’ll just redirect them to CedoxX’s test phone. (Heal sends a command [slash + phone number] to test phone). This phone (test phone) receives it, then on his phone he’s going to get information about that [test phone]. He just received all of these different pieces of information from the phone: make, model, device ID, malware version, and Android version. Sent, just like that. From the user’s perspective, all they would see is a slash and the phone number. And they’re going to go, “Oh, it’s a typo or it’s SMS spam.” Or they think they accidentally pushed some buttons on their phone.
Screenshot of Android Security Suite-disguised malware accessing a mobile device. Image courtesy Wall of Sheep
End of the transcript of the NFC hack demoed for me by Wall of Sheep at Def Con.
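The demo above starts with a tag whose only content is a URL. As an added example (not Wall of Sheep’s code), here is a small Python inspector that decodes the NFC Forum NDEF URI (“U”) record a phone reads from such a tag and lists what the URL would make the device do before the user taps through; the tag bytes are constructed for the example, not captured from a real tag.

```python
"""Added example: parse an NFC Forum NDEF URI ("U") record and flag what the
URL would make a phone do. Sample tag bytes are constructed, not captured."""

# NFC Forum URI Record Type Definition: payload byte 0 selects a prefix.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}


def parse_ndef_uri(message: bytes) -> str:
    """Return the URI carried by the first record of an NDEF message."""
    header = message[0]
    short_record = bool(header & 0x10)   # SR flag: 1-byte payload length
    has_id = bool(header & 0x08)         # IL flag: ID length field present
    if header & 0x07 != 0x01:            # TNF must be "NFC Forum well-known"
        raise ValueError("not an NFC Forum well-known record")
    pos = 1
    type_len, pos = message[pos], pos + 1
    if short_record:
        payload_len, pos = message[pos], pos + 1
    else:                                # long record: 4-byte big-endian length
        payload_len, pos = int.from_bytes(message[pos:pos + 4], "big"), pos + 4
    id_len = 0
    if has_id:
        id_len, pos = message[pos], pos + 1
    rtype, pos = message[pos:pos + type_len], pos + type_len
    pos += id_len                        # skip the record ID, if present
    if rtype != b"U":
        raise ValueError("record type %r is not URI" % rtype)
    payload = message[pos:pos + payload_len]
    if len(payload) != payload_len or not payload:
        raise ValueError("truncated payload")
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError("unknown URI prefix code 0x%02x" % payload[0])
    return prefix + payload[1:].decode("utf-8")


def assess_tag_url(url: str) -> list:
    """Defender policy: reasons to read before tapping through."""
    findings = []
    if url.startswith("http://"):
        findings.append("unencrypted http: content can be swapped in transit")
    if url.lower().split("?")[0].endswith(".apk"):
        findings.append("direct Android package download: sideloading prompt")
    return findings


# Constructed sample: MB|ME|SR set, TNF=1, type "U", prefix 0x01 = "http://www."
SAMPLE_TAG = bytes([0xD1, 0x01, 0x14, ord("U"), 0x01]) + b"example.com/app.apk"
```

Calling `assess_tag_url(parse_ndef_uri(SAMPLE_TAG))` on the constructed tag reports both the plain-http scheme and the direct package download, which is the point at which the demo’s victim should have stopped.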
WOS: Going back to the first question you asked, “What’s a hacker?” As security features, we actually hacked the malware, and changed it so anything that would go to an unknown third party has been removed and only goes to us. So in our control. So that’s a perfect definition of a hacker.
Venables: But in doing so, you’re proving that NFC has some built-in weaknesses in the design of the technology.
WOS: It has some risks, just like any technology. And if you understand the risks, you can choose to continue using it or not. Just like anything in life. Like a car, you have a risk of having an accident. Do you choose to get in the car and drive it? That’s up to you. Or, if you know the risks, you can make the decision.
We’re not saying that NFC is bad, and we’re not discouraging use. If the device, if the tag is in your control, and you know where it’s been, then it’s fine. And there are a lot of people who do that now, and it’s very safe.
Venables: How can consumers best protect the security of the data that they are sending out?
WOS: The best advice is that you can’t trust anybody and anything between you and the endpoint that you want to communicate with. A lot of people at Def Con will connect to the wireless network or the secure wireless network. That secure wireless network is hosted by a group of volunteer hackers, so you don’t know what they’re doing or listening to on the backend. And then it goes to AT&T or some ISP, and you don’t know what they’re doing or listening to. And it could bounce through a number of other places. The NOC here that’s running the secure wireless depends on services from the hotel. They connect to the hotel’s network that connects up to an ISP. There could be a lot of stuff in between the NOC that’s supporting the secure wireless before it even leaves this building. There could be taps all along that way.
The best and most simple way to do it is to use a form of virtual private network, a VPN. You connect to a VPN — it encrypts your connection from where you are to a point. And then you need to ensure that you then go from your machine to wherever you want to go through, encrypted. If you connect to the email server, you use encryption. If you are connecting to anything, you should use encryption from your device to the endpoint.
Do research on the kind of VPN company you are considering. Find out if they keep server logs. Whether or not they have multiple POPs, that they are sending the traffic out and are randomizing it, so it’s not easy for someone to identify your traffic. The other thing is that cell phones now have the capability to set up VPN, so users should be setting up VPN on their phones as well.
Practice endpoint protection as well. If you are going to install something, don’t just click through whatever is prompting you. Take the time to read it. And then keep on high alert, and ask yourself, “What are the implications if I install this? How can I remove it?” Also, especially on Android, there is endpoint antivirus that will check to see if it is malware, and even privacy advisors, in case they just blindly go through it, that will notify them later on that this application is trying to do something it shouldn’t. Better awareness and better protection.
Here is the cautionary tale from the Wall of Sheep security experts: Caveat usor. User beware. Practice the user awareness of the informed, cautious technology consumer. If you do receive a text message that has a slash and a phone number on your phone, beware. Your phone might be infected with malware. Until this NFC flaw is changed, this is an ongoing risk that all cell phone users should be wary of. There’s one last point. Just be glad that these guys are looking out for the protection of your data.
Special thanks to the guys of Wall of Sheep for accommodating my last-minute request for this interview and for demoing the steps of their awesome NFC hack at Def Con 2013.
Wall of Sheep is owned and operated by Aries Security and an army of